ICMP requests from internet to WAN IP

erhtun · June 20, 2020, 2:37pm

I am using hap ac^2 router by connected(on ether1) with ISP cable modem. When I look connections tab in winbox there are icmp requests from internet to WAN IP. I can drop and log this packets with below filter rule.

add action=drop chain=input icmp-options=8:0-255 in-interface=ether1 protocol=icmp log-prefix=drop-icmp-echo-from-internet

log details

in:ether1 out:(unknown 0), src-mac 00:--:--:--:--:46, proto ICMP (type 8, code 0), 35.180.124.13->WANIP, len 84
in:ether1 out:(unknown 0), src-mac 00:--:--:--:--:46, proto ICMP (type 8, code 0), 15.188.27.199->WANIP, len 84
in:ether1 out:(unknown 0), src-mac 00:--:--:--:--:46, proto ICMP (type 8, code 0), 52.47.192.179->WANIP, len 84
in:ether1 out:(unknown 0), src-mac 00:--:--:--:--:46, proto ICMP (type 8, code 0), 35.180.187.22->WANIP, len 84
in:ether1 out:(unknown 0), src-mac 00:--:--:--:--:46, proto ICMP (type 8, code 0), 52.47.192.179->WANIP, len 84
in:ether1 out:(unknown 0), src-mac 00:--:--:--:--:46, proto ICMP (type 8, code 0), 35.180.39.157->WANIP, len 84

Are those requests normal or should I drop them for security reasons.

jvanhambelgium · June 20, 2020, 2:46pm

Typical “ping” indeed. This is only “noise” and you should not worry.
Sure you could filter them out, it might prevent the other side(s) to “probe” more ports if they find out your router replies to ping.

I have thousands and thousands on a daily basis…

mkx · June 20, 2020, 2:50pm

Those are ICMP echo requests … and are benign strictly speaking. But they might indicate preparation for some more harmful activities, such as port scanning etc. Whether blocking those adds to security … well that’s subjective decission of every network admin out there.

anav · June 20, 2020, 3:39pm

Normally I have had ICMP set to allow on the input chain - I believe this is the default rule. One can always disable it. (last rule of input chain is drop all else)
I have used a config that has all kinds of fancy jump rules for ICMP traffic however, resulting in significant losses on traceroute and WinMTR testing.
So dont recommend the fancy sheite anymore.

mozerd · June 20, 2020, 4:05pm

ICMP: The Good, the Bad, and the Ugly
https://blog.securityevaluators.com/icmp-the-good-the-bad-and-the-ugly-130413e56030?gi=c2433c26dec8

By disabling the ICMP protocol, diagnostics, reliability, and network performance may suffer as a result (see page 4–4 of [2]). Important mechanisms are disabled when the ICMP protocol is restricted.

Best to leave ICMP on … use a good blacklist like MOAB and never have to worry about scans and incoming invasions.

erhtun · June 21, 2020, 12:31pm

Thank you all for your answers. I have removed drop rule in filters.